Burp Suite, the leading toolkit for web application security testing

PortSwigger Web Security Blog

Friday, June 22, 2007

Now that the manuscript for The Web Application Hacker's Handbook is out of the way, I'll have some proper time to think about the next release of Burp Suite. This will be a major upgrade with lots of new features in all of the tools, including:

Sunday, June 17, 2007

After our success in Amsterdam, Marcus and I are taking the show on the road and will be presenting the Web Application (In)security course in Vegas in July. The course covers practical techniques for attacking web applications, from the most basic hacks through to advanced exploitation methods. It is a roughly equal mix of presentations and hands-on lab sessions. Some highlights include:

Wednesday, June 13, 2007

I've been taking a look at the ASP.NET ViewState recently, and have done a (rather unscientific) survey of the way it is currently used on Internet-facing web applications. Here are a few statistics, based on a sample of more than 10,000 applications:

ASP.NET version 1.1 - 54%
ASP.NET version 2.0 - 46%
MAC-enabled (v1.1) - 93%
MAC-enabled (v2.0) - 89%
encrypted - 4%
average size - 16.8KB

The largest ViewState I discovered was a whopping 3.8MB in size, which appeared in a government web application displaying tables of statistics. Given that the ViewState is posted back to the server with every request, this application is seriously sluggish to use, even over a relatively fast connection.

I was surprised at the number of applications not using the EnableViewStateMac option, given that this is now set by default in ASP.NET. Without it, the server has no way to detect that the ViewState has been modified in transit, so a user can alter its contents and potentially affect the application's processing in nefarious ways.

Even with EnableViewStateMac set, users can still decode and read the contents of the ViewState if it has not been encrypted. Application developers may use the ViewState to store arbitrary data, beyond the default serialisation of UI controls. I wonder how many attackers bother to decode and inspect the ViewState to check whether it contains anything of interest. The next version of Burp Suite will include a utility to deserialise and render the ViewState contents, to make this task trivial. A sneak preview is shown below:
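As an added illustration (this is not the Burp utility previewed above, nor any PortSwigger code), here is a small Python encoder/decoder for the ASP.NET 2.0 binary ViewState format that performs the three checks behind the survey figures: the version (from the leading bytes, 0xFF 0x01 for 2.0 and "t<" for the 1.1 textual format), whether a MAC is present (from the size of the tail left after the single top-level object, 20 bytes for the default HMAC-SHA1), and what an attacker can do when the MAC is off (decode, edit, re-encode). It handles only a subset of the ObjectStateFormatter tokens (Pair, Triplet, ArrayList, Hashtable, String, Int32 and the single-byte constants). The MAC is a simplified stand-in, an HMAC-SHA1 over the payload with a made-up key; real ASP.NET also mixes a per-page modifier into the keyed hash, so this code does not produce MACs a server would accept. The sample ViewState, its contents and the key are constructed for the example.

```python
# ASP.NET 2.0 ViewState (ObjectStateFormatter "LOS" binary format): subset encoder/decoder.
import base64
import hashlib
import hmac
import io

# ObjectStateFormatter token bytes (subset of the full table).
T_INT32, T_STRING, T_PAIR, T_TRIPLET, T_ARRAYLIST, T_HASHTABLE = 2, 5, 15, 16, 22, 23
SIMPLE = {100: None, 101: "", 102: 0, 103: True, 104: False}  # Null, EmptyString, ZeroInt32, True, False
LOS_HEADER = b"\xff\x01"  # v2.0 binary ViewState (base64 begins "/wE" for the usual top-level Pair)
V11_PREFIX = b"t<"        # v1.1 textual LosFormatter output (base64 begins "dD")
MAC_LENGTHS = {0: None, 16: "MD5", 20: "SHA1", 32: "SHA256"}  # trailing keyed-hash sizes

def write_int7(n):  # 7-bit variable-length int, as BinaryWriter.Write7BitEncodedInt
    out = bytearray()
    while n >= 0x80:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    return bytes(out) + bytes([n])

def serialize(obj):  # Python -> LOS: tuple(2)=Pair, tuple(3)=Triplet, list=ArrayList, dict=Hashtable
    if obj is None or isinstance(obj, bool):
        return bytes([100 if obj is None else 103 if obj else 104])
    if isinstance(obj, int):
        return bytes([102]) if obj == 0 else bytes([T_INT32]) + write_int7(obj & 0xFFFFFFFF)
    if isinstance(obj, str):
        data = obj.encode("utf-8")
        return bytes([T_STRING]) + write_int7(len(data)) + data if data else bytes([101])
    if isinstance(obj, tuple) and len(obj) in (2, 3):
        return bytes([T_PAIR if len(obj) == 2 else T_TRIPLET]) + b"".join(map(serialize, obj))
    if isinstance(obj, list):
        return bytes([T_ARRAYLIST]) + write_int7(len(obj)) + b"".join(map(serialize, obj))
    if isinstance(obj, dict):
        items = b"".join(serialize(k) + serialize(v) for k, v in obj.items())
        return bytes([T_HASHTABLE]) + write_int7(len(obj)) + items
    raise TypeError(f"unsupported type {type(obj).__name__}")

def take(stream, n):  # read exactly n bytes; a short read means a truncated or corrupt ViewState
    chunk = stream.read(n)
    if len(chunk) != n:
        raise ValueError("truncated ViewState")
    return chunk

def read_int7(stream):
    n = shift = 0
    while True:
        b = take(stream, 1)[0]
        n, shift = n | (b & 0x7F) << shift, shift + 7
        if not b & 0x80:
            return n

def read_value(stream):  # LOS -> Python object (inverse of serialize)
    t = take(stream, 1)[0]
    if t in SIMPLE:
        return SIMPLE[t]
    if t == T_INT32:
        n = read_int7(stream) & 0xFFFFFFFF
        return n - (1 << 32) if n & 0x80000000 else n
    if t == T_STRING:
        return take(stream, read_int7(stream)).decode("utf-8")
    if t in (T_PAIR, T_TRIPLET):
        return tuple(read_value(stream) for _ in range(2 if t == T_PAIR else 3))
    if t == T_ARRAYLIST:
        return [read_value(stream) for _ in range(read_int7(stream))]
    if t == T_HASHTABLE:  # key then value; tuple elements are evaluated left to right
        return dict((read_value(stream), read_value(stream)) for _ in range(read_int7(stream)))
    raise ValueError(f"unsupported token {t} at offset {stream.tell() - 1}")

def encode_viewstate(obj, mac_key=None):  # build __VIEWSTATE; simplified HMAC-SHA1 if mac_key given
    raw = LOS_HEADER + serialize(obj)
    if mac_key is not None:
        raw += hmac.new(mac_key, raw, hashlib.sha1).digest()
    return base64.b64encode(raw).decode("ascii")

def decode_viewstate(b64):  # -> (version, value, mac_guess); ValueError on encrypted/unknown data
    raw = base64.b64decode(b64)
    if raw.startswith(V11_PREFIX):
        return "1.1", raw.decode("latin-1"), None  # textual v1.1 format, not parsed here
    if not raw.startswith(LOS_HEADER):
        raise ValueError("no LOS header: encrypted, custom, or not ViewState")
    stream = io.BytesIO(raw[len(LOS_HEADER):])
    value = read_value(stream)
    trailing = len(stream.getvalue()) - stream.tell()  # bytes left after the one top-level object
    if trailing not in MAC_LENGTHS:
        raise ValueError(f"{trailing} unexplained trailing bytes")
    return "2.0", value, MAC_LENGTHS[trailing]

def mac_is_valid(b64, mac_key):  # verify the simplified MAC with a constant-time compare
    raw = base64.b64decode(b64)
    expected = hmac.new(mac_key, raw[:-20], hashlib.sha1).digest()
    return hmac.compare_digest(raw[-20:], expected)

def tamper(b64, mutate):  # with EnableViewStateMac off: decode, edit, re-encode, no key needed
    return encode_viewstate(mutate(decode_viewstate(b64)[1]))

# Constructed sample: a control-tree-like Pair/ArrayList with developer data stashed in it.
SAMPLE_STATE = (("Order", [("price", 100), ("isAdmin", False)]), None)
UNMACCED = encode_viewstate(SAMPLE_STATE)
MACCED = encode_viewstate(SAMPLE_STATE, mac_key=b"constructed-machine-key")
```

Decoding UNMACCED yields the original tree with no MAC, decoding MACCED yields the same tree with a 20-byte SHA1 tail, and tamper() turns the unprotected value into a ViewState with a different price and isAdmin flag that the decoder accepts just as readily. Re-encoding the MAC-protected value without the key leaves a ViewState that fails mac_is_valid, which is the whole point of EnableViewStateMac. The MAC-length inference is a heuristic: it relies on the decoder consuming exactly one top-level object, so an unsupported token raises rather than silently misreporting the tail.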